The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because of a lack of quotes the naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run C:\Program
Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named Program.exe and place it on the
root of the C:\ and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."